Puppet - Configuration Management Tool

Tuesday, February 11, 2014

In this post we will learn how to set a password on clients via Puppet. This seems to be an easy task, but believe me, it's not.

Before we start setting up a password for a user, let's look at some of the important files in /etc/puppet on the master server: auth.conf, fileserver.conf and puppet.conf.

We will discuss how to share/transfer a file to a client via Puppet.
We will put all the files to share in the /etc/puppet/files directory; if the directory does not exist, we need to create it. It is not necessary to use the same name, but we will stick to it.

Edit file /etc/puppet/fileserver.conf

Add the lines below at the end of the file. You can also search for the MOUNT POINTS section and uncomment it, but it is wise to add them at the end of the file.

[files]
path /etc/puppet/files
allow *

Edit file /etc/puppet/auth.conf

Add the mentioned lines below the "path /file" section and not above it, as placing them above it can impose extra security restrictions and would be hard for you to debug.

In our case 192.168.1.0/24 is the private range and puppet.com is the domain; set these to suit your setup.

Edit file /etc/puppet/puppet.conf

In the [main] section, add the following parameter:

pluginsync = true

After making all the necessary changes, restart the Puppet master service.

On the master server (CentOS):

/etc/init.d/puppetmaster restart

Let's move on to setting up the password in the /etc/shadow file. We tried a lot of methods to set the password, but eventually the method which worked is the one described below.

First, we will create an sh file and place it in the files folder in /etc/puppet.
This file basically queries the second field of the /etc/shadow file; if it returns "!", the password is set, otherwise the change-password command, i.e. chpasswd, is not executed.

In this file we will add a file type and an exec type under the accounts class. The file type will share/transfer the file created in the above step to the client, and the exec type will execute chpasswd on the client along with the username and password. To avoid the password in shadow being overwritten again and again whenever the client is synchronized, an onlyif attribute is set: with the help of the above script file and the user name, it queries the second field for "!", and if that is not the result, the chpasswd utility is not executed.

Also remember that on the client there should be a templates directory; in our case Ubuntu has it by default, so we transferred the file to that location. The location can be anything according to your convenience, but be sure to point to the right location in the file type and to use the same location in the exec type.
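
The check described above, written out as an added example (this is not the script from the original post). The function names, the optional shadow-file argument and the sample entries are assumptions made for illustration; Puppet's onlyif runs the exec only when the check exits 0.

```shell
#!/bin/sh
# Added example, not the original post's script. Function names and the
# optional SHADOW_FILE argument are assumptions made for illustration.

# shadow_field2 USER [SHADOW_FILE]
# Prints the second (password) field of USER's entry; exits 1 if USER is absent.
shadow_field2() {
    # Compare as strings on the whole first field, so "ali" never matches
    # "alice" and numeric-looking names are not compared as numbers.
    U="$1" awk -F: '($1 "") == (ENVIRON["U"] "") { print $2; found = 1; exit }
        END { exit !found }' "${2:-/etc/shadow}"
}

# needs_password USER [SHADOW_FILE]
# Exits 0 only when the field is exactly "!" (no password set yet).
# Exits 1 for any other value, 2 when USER has no entry.
needs_password() {
    field=$(shadow_field2 "$1" "${2:-/etc/shadow}") || return 2
    [ "$field" = "!" ]
}

# Constructed sample entries (placeholder strings, not real hashes).
write_sample_shadow() {
    cat > "$1" <<'EOF'
alice:!:16112:0:99999:7:::
alicia:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16112:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16112:0:99999:7:::
daemon:*:16112:0:99999:7:::
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample_shadow "$tmp"
    for u in alice alicia bob daemon nobody; do
        if needs_password "$u" "$tmp"; then
            echo "$u: field is \"!\", chpasswd would run"
        else
            echo "$u: chpasswd skipped"
        fi
    done
    rm -f "$tmp"
}

# With a user name: act as the onlyif check. Without arguments: run the demo.
if [ "$#" -ge 1 ]; then needs_password "$@"; exit; else demo; fi
```

The exact match on "!" matters for the constructed "bob" entry: a "!" in front of an existing hash marks a locked account that already has a password, and the check leaves it alone.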

Monday, January 27, 2014

Now that we have seen what the directory and file structure should be in Puppet management, let's discuss user management: creation of a local user on a client, which is a daily/frequent task of a system admin.

In the above file we have defined the type accounts::system, which is done to ensure that every user gets the home and shell as defined and not the defaults created by the useradd utility. We also included variables for comment and password, as these vary from user to user and cannot be constant.

For example: if we create a user on Ubuntu manually via the useradd utility, it will end up with /bin/sh as its shell unless one is explicitly defined using the -s option.

Now that the defined type is done, we can use it to actually create the system user resources. We repeat this as many times as necessary, creating an accounts::system resource for each user account we want to manage within Puppet.

Once we are done with this configuration, we just have to realize it in the nodes.

The above command will send a certificate signing request (CSR) to the master server. Once the CSR is delivered to the master, we need to execute commands on the master server simultaneously, after we see the above info, i.e.